Send generic responses from the API to the client, or be more specific in the response?
Example: User Credentials Validation
The field "password" sent from the client doesn't match the password stored in the DB. Should I send a generic message in the response, like "Invalid Credentials", or can I be more specific, like "field 'password' is invalid"?
Same idea for other validation errors too... should I specifically tell the browser what was wrong with the request?
Is there a convention in this situation? I mean... I can be specific about validation errors, but for other types of errors I should be more generic for security reasons.
Are you using these responses for a user facing message or something internal for you to manage?
if user facing, then I think something more generic like "Invalid Credentials" is just fine
the browser will be receiving the responses
got it
user facing => what it will show in the interface
internal => intercepting the API response and modifying it for the interface
both go to the browser, just one is "do I modify the response" or "just give the unfiltered response"
ooh
so yeah, it'll be something internal
Now I would recommend for something like registration, that you would specify the field that is wrong like if it doesn't pass rules that you've defined, but for a login, just something generic is easier
I've seen some error messages like "That user wasn't found", but to me that is different than saying "you didn't type something correctly," so just saying the credentials are invalid or similar feels the most accurate without accidentally giving db fields out
got that
thank you andrew
oh i created this question in the frontend field... my bad
backend would've been more appropriate
i mean teeeeechnically it's a frontend problem 😉
i mean teeeeechnically it's a #discussions topic since it's not code-related 😜
But to answer the question: if the user could somehow see the error message, you want it to be as generic as possible, otherwise a malicious actor could use the information in a malicious way.
For example, if it's printed to the console or stored in memory, "Invalid credentials" is about as specific as you want to get. If you say "invalid password", then the end user knows the username exists. If it's the person trying to log in, they already know they exist, but a hacker is usually guessing and you just gave away potentially sensitive information about your service and a user.
https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html#incorrect-and-correct-response-examples
I have one question… Like Andrew said, even though I'll be using the API response internally to create a UI error… In this case, can't the user just open devtools, send a request and see the response on the network tab?
or will the https protocol encrypt that? I've never worked with a production environment 😂, so I have a beginner view
thank you so much for this article beck
If the error message makes it to the front end it should be generic. Full stop. If it only stays on the back-end for logging in your database then you can be more specific.